Deep Dive Android 2015
OBJECTIVE
Android is the leading Operating system. It is used not just in Smartphones / Tablet but also is used as base for interactive Television, gaming console and lot more systems. The obvious resultant is that there is a large focus towards developing applications for this platform and to maintain its security. This workshop aims to equip information security professionals with knowledge about Android Operating system and how to ensure that the application are followin best security practices.
Students of this course will learn how to operate and make the best of the Android Tamer Virtual machine environment specifically designed for android penetration testing, from its creator. After taking this course you will be in a position to comfortably assess Android mobile application. You will be able to identify potential security issues as well as suggest possible remediations for issues such as Insecure Data Storage, Insufficient Transport Layer Protection, Unintended Data Leakage, Poor Authorization and Authentication, Broken Cryptography, Client Side Injection, Security Decisions Via Untrusted Inputs, Improper Session Handling, Lack of Binary Protections and more.
COURSE CONTENT
- Understand Android
- Operating System Overview
- File system Overview
- Security Model
- Understand Android Application
- Application Components
- Application Structure
- The SDK and Android Tools
- Developing a basic application
- Penentration Testing Setup and methodology
- Introduction to Android Tamer
- Setting up the environment
- Penetation testing approach
- Reverse Engineering basics
- Rooting basics
- Manual Pentesting
- Automated Pentesting via Drozer
- Dynamic Instrumentation via Xposed Framework
- Being secure
- Writing Secure Code
- Writing Python Scripts for automating android pentests
- Checklist for android applications
PRE-REQUISITE
Basic familiarity of Linux usage
Python scripting knowledge is a plus, but not extremely required
PARTICIPANTS REQUIREMENTS/WHAT TO BRING
Windows 7/8 , Ubuntu 12.x +, Macbook (2011 or above model)
Administrative access on your laptop with external USB allowed
Laptop Processor should support Virtualization
Atleast 20+ GB free hard disk space
4 GB or more RAM
Genymotion installed (Downloadable from https://genymotion.com)
DURATION
1 day
WHAT TO EXPECT
Getting started with Android Security
Reversing and Auditing of Android applications
Finding vulnerabilities and exploiting them
Hands-on with different Android components from security perspective
WHAT NOT TO EXPECT
To be an Android Hacking Expert/Ninja in a matter of 1 Day. Even though this training would take you to a considerably high level in Android Security/Exploitation, and impart you with all the necessary skills needed, you need to work on your own and use the skills learnt in the training class to continue your Android Security explorations.
WHO SHOULD ATTEND
Security Professionals
Web Application Pentesters
Application Developers
People interested to start into Android security
Ref: https://is-ra.org/c0c0n/2015/workshops#Anant_Shrivastava